Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XMLEventReader causes OutOfMemoryError with invalid XML declaration #96

Closed
dancek opened this issue Apr 20, 2016 · 4 comments
Closed

XMLEventReader causes OutOfMemoryError with invalid XML declaration #96

dancek opened this issue Apr 20, 2016 · 4 comments
Labels
duplicate

Comments

@dancek
Copy link

dancek commented Apr 20, 2016

I initially noticed this bug because a third-party REST API returns malformed XML on some occasions, which causes our server to run out of memory.

After a lot of head-scratching I found that an unclosed attribute string in the XML declaration causes this systematically. Here's the simplest example of reproducing the bug that I've found:

import scala.xml.pull.XMLEventReader
import scala.io.Source

object XMLEventReader_OutOfMemory {
    def main(args: Array[String]): Unit = {
        val src = Source.fromString("<?xml x=\"")
        new XMLEventReader(src)
    }
}

Running the code causes an OutOfMemoryException:

$ scalac XMLEventReader_OutOfMemory.scala && scala XMLEventReader_OutOfMemory
Exception in thread "XMLEventReader" java.lang.OutOfMemoryError: Java heap space
    at java.util.Arrays.copyOf(Arrays.java:3332)
    at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:137)
    at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:121)
    at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:622)
    at java.lang.StringBuilder.append(StringBuilder.java:202)
    at scala.collection.mutable.StringBuilder.append(StringBuilder.scala:267)
    at scala.xml.parsing.MarkupParserCommon.xAttributeValue(MarkupParserCommon.scala:70)
    at scala.xml.pull.XMLEventReader$Parser.xAttributeValue(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParserCommon.xAttributeValue(MarkupParserCommon.scala:78)
    at scala.xml.pull.XMLEventReader$Parser.xAttributeValue(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParser.xAttributes(MarkupParser.scala:318)
    at scala.xml.pull.XMLEventReader$Parser.xAttributes(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParser.xmlProcInstr(MarkupParser.scala:143)
    at scala.xml.pull.XMLEventReader$Parser.xmlProcInstr(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParser.prologOrTextDecl(MarkupParser.scala:159)
    at scala.xml.parsing.MarkupParser.prolog(MarkupParser.scala:209)
    at scala.xml.pull.XMLEventReader$Parser.prolog(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParser.document(MarkupParser.scala:239)
    at scala.xml.pull.XMLEventReader$Parser.document(XMLEventReader.scala:60)
    at scala.xml.pull.XMLEventReader$Parser.scala$xml$pull$XMLEventReader$Parser$$$anonfun$2(XMLEventReader.scala:96)
    at scala.xml.pull.XMLEventReader$Parser$$Lambda$93/1925707867.apply(Unknown Source)
    at scala.xml.pull.ProducerConsumerIterator.interruptibly(XMLEventReader.scala:125)
    at scala.xml.pull.XMLEventReader.interruptibly(XMLEventReader.scala:27)
    at scala.xml.pull.XMLEventReader$Parser.run(XMLEventReader.scala:96)
    at java.lang.Thread.run(Thread.java:745)
@biswanaths
Copy link
Contributor

biswanaths commented Apr 20, 2016
edited
Loading

Thanks @dancek for reporting this. This looks serious to me.

@lespea
Copy link

lespea commented Apr 20, 2016

This was already reported here: #35 with a fix provided in #92

I have a fork where I merged this and a few other pull requests here: https://github.com/lespea/scala-xml

@dancek
Copy link
Author

dancek commented Apr 20, 2016

@lespea thanks, good to know. We'll need to discuss either using your fork in production or starting our own fork of scala-xml.

I'm sure you all know it, but this bug is an extremely effective DoS attack vector.

@lespea
Copy link

lespea commented Apr 20, 2016

@dancek if you encounter any problems feel free to send me pull requests; I'd like to maintain my fork at least a little bit until this gets attention by the maintainers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@biswanaths @lespea @SethTisue @dancek